Structuring Privacy and Information Security Competencies for Public Sector Roles: A Framework for Enhancing Software Quality and LGPD Compliance
Abstract
Context: The increasing complexity of digital public services has heightened the need for robust governance mechanisms in privacy and information security, particularly in light of Brazil’s General Data Protection Law (LGPD). However, public institutions often lack clearly defined roles, responsibilities, and competencies for professionals managing sensitive data and system security. Objective: This study aims to develop a comprehensive competency framework that maps the responsibilities and required knowledge, skills, and abilities (KSAs) for key privacy and information security roles in the Brazilian federal public administration. Method: We employed a design science approach, grounded in national regulations (LGPD, PPSI, IN GSI/PR nº 3/2021) and international standards (e.g., ISO/IEC 27701), to analyze legal and normative documents. The process included the identification of 24 institutional roles (8 in privacy, 16 in information security), the modeling of KSAs across three proficiency levels, and the use of the Analytic Hierarchy Process (AHP) to prioritize competencies. Results: The resulting framework provides structured competency profiles for each role, supporting training journey design, maturity assessment, and decision-making for role allocation. An interactive online platform makes the full model publicly accessible, offering practical tools for public sector adoption. Key findings highlight overlapping areas between privacy and security domains, reinforcing the need for coordinated institutional efforts. Conclusion: By clarifying role expectations and aligning them with legal and technical requirements, the framework supports public organizations in improving their institutional maturity in privacy and security governance. It also contributes to the quality, reliability, and trustworthiness of digital public services through strategic capacity-building.